Let me edit for brevity, and then take a wild stab at answering what I
think is your question...
On Thu, Oct 16, 2003 at 12:23:18PM -0400, John Holmblad wrote:
> All,
> I recently made a modification to my Linksys router (BEFSX41) to
> explicitly filter (by configuring a new filter using the filters tab on
> the www browser based control console for the Linksys router) incoming
> packets targeted to UDP port 1026 on my router and coming from the
> Internet.
You are now "filtering" (i.e. stopping) incoming packets to UDP:1026.
/* snip */
> I now realize that these "hits" were
> probably of that kind and that these submissions may have somehow
> contributed to DShield's statistics, and, in turn, Microsoft's awareness
> that something was going on with respect to a vulnerability in the
> Messenger service.
Don't think for one second that Micro$oft pays any attention to what
dshield shows as active vulnerabilities...
> One side effect of this new filtering rule in my router appears to be
> that my daily submissions to Dshield via the CVTWIN software no longer
> report such "hits".
OK: you're "filtering" them (see above), so how would dshield know
about them?
> This diminution of Dshield submission volume was
> a surprising result to me
Why?
> especially because, when I use the
> aforementioned Linksys "www browser based control console" to examine
> the log file entries, such "hits", which formerly appeared in green type
> font, are now in red, indicating that they were stopped by a filtering
> rule!
OK: what are we missing here? Your rule stops the packets; Linksys
reports them as having been seen on your exterior interface, but they
were not accepted.
> Obviously, red should be of more concern than green, so why don't
> these log entries, which are now flagged in red type font, get into my
> submissions to Dshield?
Because you're filtering them out.
/* snip */
Is your primary goal to supply dshield with comprehensive reports, or
to protect your system(s)?
- John
--
"Most people don't type their own logfiles; but, what do I care?"
-
John Sage: InfoSec Groupie
-
ABCD, EFGH, IJKL, EmEnOh, Pplus+, Mminus-
-
ATTENTION: this entire message is privileged communication, intended
for the sole use of its recipients only. If you read it even though
you know you aren't supposed to, you're a poopy-head.